Encrypting mail in Thunderbird

Encrypting Mail

Enigmail has three basic modes: sign, encrypt, and sign and encrypt simultaneously. When you sign an email, the add-on will use your private key to sign the text.

If the recipient uses Enigmail or a similar solution, they will be able to detect manipulation easily. At the same time, the signature lets you verify that an email really is from the person who claims to have sent it. However, this mode does not encrypt messages; they are sent in the clear.

In encrypt mode, Enigmail will not sign the message, but it will encrypt the message with the recipient's public key to make sure that only the intended recipient can read the message. Of course, encryption does not let the recipient verify the identity of the sender.

For the best of both worlds, you would want to let Enigmail encrypt the message with the recipient's public key while signing it with your own private key. This mode is a must for confidential messages.

To test your setup, try sending a message to yourself. In Thunderbird, compose a new message: Enter your own email address as the recipient, add a subject line, and add body text. To encrypt and sign the message at the same time, which hopefully is the configuration you have chosen, select OpenPGP | Encrypt message and send the message. At this time, you will be prompted to enter your passphrase.

In a few seconds, you should receive the message. If your passphrase is still cached (Enigmail keeps it for five minutes by default), Enigmail will decrypt the message automatically; if not, it will prompt you for the passphrase. Thunderbird will tell you that the message was correctly signed and decrypted and that the signer's key has been identified. This check matters: an email that is not correctly encrypted, for example with a key other than the recipient's, is useless to the recipient, who cannot read it.

Key Management

To encrypt a message for another recipient, the procedure is basically the same as in the previous example: Compose an email in the normal way and select the corresponding menu item to tell Enigmail to encrypt, or sign, or both. A correspondent might send you an encrypted message, too. But where does the key enter into this?

To sign a message, you do not need the recipient's key. In the worst case, the recipient does not use GnuPG-compatible software and will wonder what the signature block in the message means, but this will not prevent them from reading the message. The same is not true of encryption.

To read an encrypted message, the recipient needs GnuPG or a compatible solution, and you must have the recipient's public key.

To exchange encrypted messages with a contact, both of you need each other's public keys.

Previously, I looked at two critical identifying characteristics of a key: its ID (this is 90690901 for the 2,048-bit version in the example) and its fingerprint (AF84 9339 … in the example). Among the various approaches, you can exchange keys directly with your correspondent (e.g., by email or on a USB stick).

To send a public key by email, create a message and click Attach my public key in the OpenPGP menu, which tells Thunderbird to add an attachment with your key to the mail. Then send the email with a text explaining the attachment to the recipient.

Key Servers

In addition to this, there are key servers that do nothing but keep public keys that anybody can retrieve. Publishing your own public key on a key server makes sense.

To do so, open the OpenPGP menu in the Thunderbird mail view and select Key Management…. This takes you to the Key Manager dialog, which shows you a list of keys (your key ring): your own key and the keys belonging to people with whom you exchange messages. Right-click your own key and select Upload public keys to key server….

In the dialog that appears, press OK to confirm the default key server – most key servers replicate their data anyway – then OK again to tell Enigmail to upload the key to the key server.

Downloading third-party keys is just as easy. If you receive a signed message but do not have a local copy of the matching key, Enigmail will tell you that the key is missing. To retrieve the key from a key server, you can click the letter icon on the right of the window. Also, you can search for a key manually via OpenPGP | Key Management… | Key server | Find key… and store the key locally. Search for the user's name, the key ID, or the email address.
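The "Find key…" search and the upload described above are HKP requests to the key server. The following added example (not part of the original article or of Enigmail's code) builds the lookup URL a client sends and parses the machine-readable index response, then filters out revoked, disabled and expired keys. The server name keys.example.org, the response text and the second, revoked key are constructed for the example; the page's own key ID 90690901 is used only as a search term. Since anybody can upload a key under any name or address, a search can return several keys for one correspondent, which is why the fingerprint check described later is still required.

```python
from urllib.parse import unquote, urlencode

HKP_PORT = 11371  # traditional HKP port; many servers also answer on 80/443


def hkp_lookup_url(server: str, search: str, op: str = "index") -> str:
    """Build the HKP lookup URL a client sends to a key server.

    op=index searches (what Find key... does), op=get downloads the key.
    A bare hex key ID or fingerprint is prefixed with 0x; without it the
    server treats the string as free text and matches names instead.
    """
    s = search.strip()
    if len(s) in (8, 16, 32, 40) and all(c in "0123456789abcdefABCDEF" for c in s):
        s = "0x" + s
    query = urlencode({"op": op, "search": s, "options": "mr"})
    return f"http://{server}:{HKP_PORT}/pks/lookup?{query}"


def parse_hkp_index(text: str) -> list:
    """Parse the machine-readable (options=mr) index response.

    Lines look like
      pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
      uid:<percent-encoded user id>:<created>:<expires>:<flags>
    flags: r = revoked, d = disabled, e = expired.
    """
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            keys.append({
                "key_id": fields[1],
                "algo": int(fields[2]) if fields[2] else None,
                "key_len": int(fields[3]) if fields[3] else None,
                "created": int(fields[4]) if fields[4] else None,
                "expires": int(fields[5]) if fields[5] else None,
                "flags": set(fields[6]),
                "uids": [],
            })
        elif fields[0] == "uid" and keys and len(fields) >= 2:
            # user IDs belong to the most recent pub line
            keys[-1]["uids"].append(unquote(fields[1]))
    return keys


def usable_keys(keys: list, now: int) -> list:
    """Drop keys the server marks revoked/disabled/expired or whose expiry has passed."""
    out = []
    for k in keys:
        if k["flags"] & {"r", "d", "e"}:
            continue
        if k["expires"] is not None and k["expires"] < now:
            continue
        out.append(k)
    return out


# Constructed sample response: one current key and one revoked key for the same address.
SAMPLE_INDEX = """info:1:2
pub:1234ABCD5678EF90:1:2048:1262304000::
uid:Alice%20Example%20%3Calice%40example.org%3E:1262304000::
pub:0FEDCBA987654321:1:2048:1199145600::r
uid:Alice%20Example%20%3Calice%40example.org%3E:1199145600::r
"""

if __name__ == "__main__":
    print(hkp_lookup_url("keys.example.org", "alice@example.org"))
    print(hkp_lookup_url("keys.example.org", "90690901"))
    for k in usable_keys(parse_hkp_index(SAMPLE_INDEX), now=1300000000):
        print(k["key_id"], k["uids"])
```

Even after filtering, the surviving key is only a candidate: the server vouches for nothing, so the key ID and user ID must be matched against a fingerprint obtained from the owner out of band.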

If you receive a key as an email attachment – that is, if somebody you correspond with sends you a key – right-click the attachment and select Import OpenPGP key. After both of you have done this, you can exchange encrypted messages. But how do you make sure that the key really belongs to the person the sender claims to be? The fingerprint I referred to earlier gives you this ability. In the Key Manager (menu OpenPGP | Key Management…) you can double-click a key to display its properties.

The fingerprint lets you verify a key's identity. If you want to be certain that the key really is from the person who claims to have sent it, you should use some other method to contact them. Phone the key owner, for example, and compare fingerprints on the phone. If the fingerprints match, you can safely assume that you have the right key and the right person. Now there really is nothing to stop you from exchanging encrypted messages.
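To show what is actually being compared on the phone, here is an added example (not from the original article and not Enigmail code) that computes an OpenPGP version 4 fingerprint the way the standard defines it, derives the short and long key IDs from it, and compares a fingerprint read aloud against the one on screen while ignoring spacing and case. It also covers the key ID and fingerprint mentioned in the Key Management section. The RSA modulus, exponent and creation time are constructed values with no cryptographic meaning; they only stand in for the public-key material of a real key.

```python
import hashlib
import re
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint = SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880). 40 hex digits."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def normalize_fingerprint(fp: str) -> str:
    """Strip grouping spaces and case so a fingerprint read over the phone compares to one on screen."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def format_fingerprint(fp: str) -> str:
    """Groups of four hex digits, the way the Key Manager displays a fingerprint."""
    fp = normalize_fingerprint(fp)
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def key_id_from_fingerprint(fp: str, long_id: bool = False) -> str:
    """The 8-digit key ID Enigmail shows is the last 32 bits of the fingerprint; the long ID is the last 64."""
    fp = normalize_fingerprint(fp)
    return fp[-16:] if long_id else fp[-8:]


def fingerprints_match(shown: str, read_aloud: str) -> bool:
    """True only when all 40 hex digits agree; matching key IDs alone prove nothing, since short IDs collide."""
    a, b = normalize_fingerprint(shown), normalize_fingerprint(read_aloud)
    return len(a) == 40 and a == b


# Constructed key material (not a real key): a 2048-bit odd modulus, the usual exponent, a fixed timestamp.
DEMO_N = (1 << 2047) | 0x10001
DEMO_E = 65537
DEMO_CREATED = 1262304000

if __name__ == "__main__":
    fp = v4_fingerprint(v4_rsa_public_key_body(DEMO_N, DEMO_E, DEMO_CREATED))
    print("fingerprint:", format_fingerprint(fp))
    print("key ID:     ", key_id_from_fingerprint(fp))
    print("match (spoken, lower case):", fingerprints_match(fp, format_fingerprint(fp).lower()))
    print("match (one digit wrong):  ", fingerprints_match(fp, fp[:-1] + ("0" if fp[-1] != "0" else "1")))
```

The point of `fingerprints_match` insisting on all 40 digits is the one the article makes: the short ID shown in the key list is convenient for searching, but only the full fingerprint, confirmed with the owner over a second channel, tells you that you hold the right key.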
